Applies to (product versions from the article's sidebar; the product heading for the first list falls outside this page):
(product heading not on this page): 10.1.0, 10.0.1, 10.0.0, 9.4.8, 9.4.7, 9.4.6, 9.4.5, 9.4.4, 9.4.3, 9.4.2, 9.4.1, 9.4.0, 9.3.1, 9.3.0, 9.2.5, 9.2.4, 9.2.3, 9.2.2
BIG-IP Link Controller: 11.6.0, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.3.0, 11.2.1, 11.2.0, 11.1.0, 11.0.0, 10.2.4, 10.2.3, 10.2.2, 10.2.1, 10.2.0, 10.1.0, 10.0.1, 10.0.0, 9.4.8, 9.4.7, 9.4.6, 9.4.5, 9.4.4, 9.4.3, 9.4.2, 9.4.1, 9.4.0, 9.3.1, 9.3.0, 9.2.5, 9.2.4, 9.2.3, 9.2.2
BIG-IP PEM: 11.6.0, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.3.0
BIG-IP PSM: 11.4.1, 11.4.0, 11.3.0, 11.2.1, 11.2.0, 11.1.0, 11.0.0, 10.2.4, 10.2.3, 10.2.2, 10.2.1, 10.2.0, 10.1.0, 10.0.1, 10.0.0, 9.4.8, 9.4.7, 9.4.6, 9.4.5
BIG-IP WebAccelerator: 11.3.0, 11.2.1, 11.2.0, 11.1.0, 11.0.0, 10.2.4, 10.2.3, 10.2.2, 10.2.1, 10.2.0, 10.1.0, 10.0.1, 10.0.0, 9.4.8, 9.4.7, 9.4.6, 9.4.5, 9.4.4, 9.4.3, 9.4.2, 9.4.1, 9.4.0
BIG-IP WOM: 11.3.0, 11.2.1, 11.2.0, 11.1.0, 11.0.0, 10.2.4, 10.2.3, 10.2.2, 10.2.1, 10.2.0, 10.1.0, 10.0.1, 10.0.0
Enterprise Manager: 3.1.1, 3.1.0, 3.0.0, 2.3.0, 2.2.0, 2.1.0, 2.0.0, 1.8.0, 1.7.0, 1.6.0, 1.4.1, 1.4.0, 1.2.2, 1.2.1, 1.2.0, 1.0.0
BIG-IP Edge Gateway: 11.3.0, 11.2.1, 11.2.0, 11.1.0, 11.0.0, 10.2.4, 10.2.3, 10.2.2, 10.2.1, 10.2.0, 10.1.0

Following are examples of commands used to run the tcpdump utility:
Selecting an Interface or VLAN
The tcpdump utility is able to sniff for packets on only one interface or VLAN.
By default, it selects the lowest numbered interface.
To select an interface, use the -i flag, as follows:
tcpdump -i <interface>
For example:
To tcpdump a specific interface:
tcpdump -i 2.1
tcpdump -i 1.10
To tcpdump a specific VLAN:
tcpdump -i internal
tcpdump -i external
To tcpdump the management interface:
tcpdump -i eth0
Note: Do not attempt to run tcpdump on an interface that contains a colon.
For example:
eth0:mgmt
Disabling name resolution
By default, tcpdump attempts to look up IP addresses and use names, rather
than numbers, in the output. The BIG-IP system must wait for a response from
the DNS server, so the lookups can be time consuming and the output may be confusing.
To disable name resolution, use the -n flag as in the following examples:
tcpdump -n
https://support.f5.com/kb/enus/solutions/public/0000/400/sol411.print.html 2/8
5/5/2015 SOL411 Overview of packet tracing with the tcpdump utility
tcpdump -ni internal
Saving tcpdump output to a file
You can save the tcpdump data to one of the following file formats:
A binary file that contains all the information collected by the tcpdump and is readable by the tcpdump utility
as well as many other traffic analysis packages.
A text file that contains a subset of the full tcpdump data, but is readable only as plain text.
When working with F5 Technical Support, you must provide the tcpdump output in the binary file format.
Binary file
To save the tcpdump output to a binary file, type the following command:
tcpdump -w <filename>
For example:
tcpdump -w dump1.bin
Note: The tcpdump utility does not print data to the screen while it is capturing to a file. To stop the capture, press
CTRL-C.
Text file
To save the tcpdump output to a text file, type the following command:
tcpdump > <filename>
For example:
tcpdump > dump1.txt
Reading tcpdump binary file output
To read data from a binary tcpdump file (that you saved by using the tcpdump -w command), type the following
command:
tcpdump -r <filename>
For example:
tcpdump -r dump1.bin
In this mode, the tcpdump utility reads stored packets from the file, but otherwise operates just as it would if it
were reading from the network interface. As a result, you can use formatting commands and filters.
Beginning in BIG-IP 11.2.0 HF3, 11.2.1 HF3, and 11.3.0, a pseudo header which includes the following parameters
is added to the start of each binary tcpdump capture:
The tcpdump command syntax used, including all options
Version of software
Hostname of the system
Platform ID
Product
Filters
The tcpdump utility allows you to use filters to, among other things, restrict the output to specified addresses,
ports, and tcp flags.
Filtering on a host address
To view all packets that are traveling to or from a specific IP address, type the following command:
tcpdump host <IP address>
For example:
tcpdump host 10.90.100.1
To view all packets that are traveling from a specific IP address, type the following command:
tcpdump src host <IP address>
For example:
tcpdump src host 10.90.100.1
To view all packets that are traveling to a particular IP address, type the following command:
tcpdump dst host <IP address>
For example:
tcpdump dst host 10.90.100.1
Filtering on a port
To view all packets that are traveling through the BIG-IP system and are either sourced from or destined to a
specific port, type the following command:
tcpdump port <port number>
For example:
tcpdump port 80
To view all packets that are traveling through the BIG-IP system and sourced from a specific port, type the
following command:
tcpdump src port <port number>
For example:
tcpdump src port 80
To view all packets that are traveling through the BIG-IP system and destined to a specific port, type the
following command:
tcpdump dst port <port number>
For example:
tcpdump dst port 80
Filtering on a tcp flag
To view all packets that are traveling through the BIG-IP system that contain the SYN flag, type the following
command:
tcpdump 'tcp[tcpflags] & (tcp-syn) != 0'
To view all packets that are traveling through the BIG-IP system that contain the RST flag, type the following
command:
tcpdump 'tcp[tcpflags] & (tcp-rst) != 0'
Combining filters with the 'and' operator
You can use the and operator to filter for a mixture of output.
Following are some examples of useful combinations:
tcpdump host 10.90.100.1 and port 80
tcpdump src host 172.16.101.20 and dst port 80
tcpdump src host 172.16.101.20 and dst host 10.90.100.1
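As an added example (not part of the F5 article), the Python below models how the filter primitives above evaluate against packets: it constructs a few raw IPv4/TCP packets, reads the byte that `tcp[tcpflags]` indexes (byte 13 of the TCP header), and applies host, port, flag and `and` predicates over them. The packet builder, the sample addresses and ports, and the `flags_exact` helper are assumptions of this example. It goes slightly beyond the article by showing that `tcp[tcpflags] & (tcp-syn) != 0` also matches the SYN/ACK reply, while `tcp[tcpflags] == tcp-syn` matches only a bare SYN, which matters when you are counting connection attempts rather than handshake traffic.

```python
import socket
import struct

# Symbolic names tcpdump accepts in filter expressions (see pcap-filter(7)):
# tcp[tcpflags] indexes byte 13 of the TCP header, and the flag bits have these values.
TCPFLAGS = 13
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Construct a raw IPv4+TCP packet (no link-layer header, no options, zero checksums)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Extract the fields the filters below test; returns None for non-TCP packets."""
    if pkt[9] != 6:                      # IPv4 protocol field: 6 = TCP
        return None
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "flags": tcp[TCPFLAGS]}


# Each primitive returns a predicate over a parsed packet, mirroring the tcpdump keyword.
def host(ip):
    return lambda p: ip in (p["src"], p["dst"])

def src_host(ip):
    return lambda p: p["src"] == ip

def dst_host(ip):
    return lambda p: p["dst"] == ip

def port(n):
    return lambda p: n in (p["sport"], p["dport"])

def src_port(n):
    return lambda p: p["sport"] == n

def dst_port(n):
    return lambda p: p["dport"] == n

def flags_any(mask):                     # tcp[tcpflags] & (mask) != 0: any of the bits set
    return lambda p: (p["flags"] & mask) != 0

def flags_exact(mask):                   # tcp[tcpflags] == mask: exactly these bits, no others
    return lambda p: p["flags"] == mask

def and_(*preds):                        # the 'and' operator
    return lambda p: all(f(p) for f in preds)


def select(pred, packets):
    """Apply a filter to raw packets, returning the parsed packets that match."""
    parsed = (parse_ipv4_tcp(pkt) for pkt in packets)
    return [p for p in parsed if p is not None and pred(p)]


# Constructed sample capture: a handshake to port 80, a stray RST, and a SYN to another port.
CLIENT, SERVER, OTHER = "172.16.101.20", "10.90.100.1", "192.0.2.7"
SAMPLE = [
    build_ipv4_tcp(CLIENT, SERVER, 40000, 80, TCP_SYN),
    build_ipv4_tcp(SERVER, CLIENT, 80, 40000, TCP_SYN | TCP_ACK),
    build_ipv4_tcp(CLIENT, SERVER, 40000, 80, TCP_ACK, b"GET / HTTP/1.0\r\n\r\n"),
    build_ipv4_tcp(OTHER, SERVER, 5555, 443, TCP_RST),
    build_ipv4_tcp(CLIENT, SERVER, 40001, 8080, TCP_SYN),
]


def run_examples(packets=SAMPLE):
    """Count matches for the filter expressions used in the article, plus the exact-SYN refinement."""
    return {
        "host 10.90.100.1 and port 80": len(select(and_(host(SERVER), port(80)), packets)),
        "src host 172.16.101.20 and dst port 80": len(select(and_(src_host(CLIENT), dst_port(80)), packets)),
        "tcp[tcpflags] & (tcp-syn) != 0": len(select(flags_any(TCP_SYN), packets)),
        "tcp[tcpflags] == tcp-syn": len(select(flags_exact(TCP_SYN), packets)),
        "tcp[tcpflags] & (tcp-rst) != 0": len(select(flags_any(TCP_RST), packets)),
    }


if __name__ == "__main__":
    for expr, n in run_examples().items():
        print(f"{n} packet(s) match: {expr}")
```

The predicates compose exactly the way the BPF expressions do, so `and_(src_host(CLIENT), dst_port(80))` is the in-memory counterpart of `tcpdump src host 172.16.101.20 and dst port 80`. The same packets run through tcpdump itself would give the same counts, which is a cheap way to sanity-check a filter before starting a capture on a busy system.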
Capturing packet data
The tcpdump utility provides an option that allows you to specify the amount of each packet to capture.
You can use the -s (snarf/snaplen) option to specify the amount of each packet to capture. To capture the entire
packet, use a value of 0 (zero).
For example:
tcpdump -s0 src host 172.16.101.20 and dst port 80
Alternatively, you can specify a length large enough to capture the packet data you need to examine.
For example:
tcpdump -s200 src host 172.16.101.20 and dst port 80
If you are using the tcpdump utility to examine the output on the console during capture or by reading from an input
file with the -r option, you should also use the -X flag to display ASCII encoded output along with the default HEX
encoded output.
For example:
tcpdump -r dump1.bin -X src host 172.16.101.20 and dst port 80
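The binary file written by -w and read back by -r is the libpcap capture file format. The Python below is added here and is not part of the F5 article: it writes a constructed packet to that format once with -s0 semantics and once with -s200 semantics, reads both files back, and shows how each record header carries both the stored length and the original on-the-wire length, so a reader can tell that a -s200 capture was truncated. It finishes with a hex plus ASCII rendering in the spirit of -X (the column layout is not identical to tcpdump's). The packet contents, the timestamp and the file names are constructed for the example; the magic number, header layout and the LINKTYPE_RAW value (101, records begin at the IP header) are the format's standard values.

```python
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap file, microsecond timestamps
LINKTYPE_RAW = 101        # each record starts at the IP header (no link-layer header)


def write_pcap(path, packets, snaplen=0):
    """Write (timestamp, bytes) pairs as a pcap file. snaplen 0 stores whole packets (as -s0 does);
    otherwise each record keeps only the first snaplen bytes, like -s<n>."""
    header_snaplen = snaplen if snaplen > 0 else 65535   # value advertised in the file header
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, header_snaplen, LINKTYPE_RAW))
        for ts, pkt in packets:
            captured = pkt if snaplen == 0 else pkt[:snaplen]
            sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
            # incl_len = bytes stored, orig_len = bytes on the wire; the gap reveals truncation
            f.write(struct.pack("<IIII", sec, usec, len(captured), len(pkt)))
            f.write(captured)


def read_pcap(path):
    """Parse a pcap file, honouring the byte order implied by its magic number."""
    with open(path, "rb") as f:
        gh = f.read(24)
        if len(gh) < 24:
            raise ValueError("file too short to be a pcap file")
        magic_le = struct.unpack("<I", gh[:4])[0]
        if magic_le == PCAP_MAGIC:
            endian = "<"
        elif magic_le == 0xD4C3B2A1:      # same magic written by a big-endian host
            endian = ">"
        else:
            raise ValueError("not a pcap file (bad magic)")
        _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", gh)
        records = []
        while True:
            rh = f.read(16)
            if len(rh) < 16:
                break
            sec, usec, incl, orig = struct.unpack(endian + "IIII", rh)
            data = f.read(incl)
            records.append({"ts": sec + usec / 1e6, "captured": data,
                            "orig_len": orig, "truncated": incl < orig})
        return {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype,
                "packets": records}


def hex_ascii_dump(data, width=16):
    """Offset, hex bytes and printable ASCII per line, in the spirit of tcpdump -X."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"0x{off:04x}:  {hexpart:<{width * 3 - 1}}  {asc}")
    return lines


def sample_packet():
    """Constructed raw IPv4+TCP packet: 40 header bytes plus a 500-byte HTTP-looking payload."""
    payload = b"GET /index.html HTTP/1.0\r\nHost: 10.90.100.1\r\n\r\n".ljust(500, b"A")
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)  # PSH|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([172, 16, 101, 20]), bytes([10, 90, 100, 1]))
    return ip + tcp + payload


def run_demo():
    """Capture the sample packet with -s0 and -s200 semantics; return what a reader sees."""
    pkt = sample_packet()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, snap in (("dump1.bin", 0), ("dump_s200.bin", 200)):
            path = os.path.join(d, name)
            write_pcap(path, [(1430784000.0, pkt)], snaplen=snap)  # constructed timestamp
            rec = read_pcap(path)["packets"][0]
            results[name] = (len(rec["captured"]), rec["orig_len"], rec["truncated"])
            if snap:
                results["s200_dump"] = hex_ascii_dump(rec["captured"])
    return results


if __name__ == "__main__":
    out = run_demo()
    for name in ("dump1.bin", "dump_s200.bin"):
        stored, orig, trunc = out[name]
        print(f"{name}: stored {stored} of {orig} bytes, truncated={trunc}")
    print("\n".join(out["s200_dump"][:4]))
```

The point to take from the truncated record is that the file still knows the packet was 540 bytes on the wire even though only 200 were kept, which is why analysis tools can flag a capture as cut short; when you need full payloads for F5 Technical Support or for your own inspection, capture with -s0.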
Suppressing hostname and port resolution
The tcpdump utility provides an option that allows you to specify whether IP addresses and service ports are
translated to their corresponding hostnames and service names.
Since performing multiple name lookups during a packet capture may be resource intensive, you should disable
name resolution while capturing on a busy system using the -n option.
For example:
tcpdump -n src host 172.16.101.20 and dst port 80
Service port lookups incur less overhead than DNS-based name resolutions, but still are usually unnecessary while
performing a capture. You can disable both name and service port resolution while performing a capture, by using
the -nn option.
For example:
tcpdump -nn src host 172.16.101.20 and dst port 80
Combining tcpdump options
This article contains the most essential tcpdump options. You will generally need to use most of the options in
combination.
Following are examples of how to combine the tcpdump options to provide the most meaningful output:
tcpdump -ni internal -w dump1.bin
tcpdump -n -r dump1.bin host 10.90.100.1
tcpdump -ni 2.1 host 10.90.100.1 and port 80
tcpdump -ni 1.10 src host 172.16.101.20 and dst port 80 > dump1.txt
tcpdump -Xs200 -nni eth0 -w /var/tmp/mgmt.cap dst host 172.16.101.20 and dst port 162
Advanced tcpdump topics
The following articles cover advanced tcpdump topics:
SOL1893: Packet trace analysis
SOL13637: Capturing internal TMM information with tcpdump
SOL7227: Using tcpdump to view traffic on a tagged VLAN
SOL13328: Troubleshooting LDAP authentication with tcpdump
SOL13301: Overview of packet tracing a BIG-IP APM Network Access tunnel with the tcpdump utility
SOL7823: Troubleshooting and debugging Enterprise Manager iControl connectivity
SOL5564: Saving large tcpdump packet traces when disk space is limited
SOL2289: Using advanced tcpdump filters
Supplemental information
SOL6546: Recommended methods and limitations for running tcpdump on a BIG-IP system
SOL4714: Performing a packet trace and providing the results to F5 Technical Support
SOL10319: Using the tcpdump utility disables hardware checksum offloading